[Nfsen-discuss] Values corrected by sampling are too big

Wed, 30 Jun 2010 02:37:43 -0700 

Hello,

I've just upgraded to nfdump 1.6.1 and I noticed big differences in the data
saved in nfdump and the data actually on the network.

Here's my analysis on one router:
* sample rate advertised in the netflow packets: 200
* sample rate configured on the device: 200 (ip flow-sampling-mode
packet-interval 200)
* sample rate configured manually in %sources: 200 ( 'router1' => { 'port'
=> '9911', 'col' => '#99ff99', 'type' => 'netflow', 'optarg' => '-s -200'
},)

The problem is if I run this top, for instance (over 2M packets):

[r...@hail ~]# nfdump -r
/data/nfsen/profiles/live/router1/nfcapd.201006301125 -n 200 -s ip/pps -l 2M
'ip 89.122.71.48 and if 38'
Packet limit: > 2000000 packets
Top 200 IP Addr ordered by pps:
Date first seen          Duration Proto           IP Addr    Flows(%)
Packets(%)       Bytes(%)         pps      bps   bpp
2010-06-30 11:21:17.720   302.532 any        89.122.71.48        5(100.0)
3.9 G(100.0)    1.8 G(100.0)   12.9 M   47.2 M     0
2010-06-30 11:21:17.720   302.532 any        78.90.151.12        1(20.0)
3.9 G(100.0)    1.8 G(100.0)   12.9 M   47.2 M     0

Summary: total flows: 5, total bytes: 1.8 G, total packets: 3.9 G, avg bps:
47.2 M, avg pps: 12.9 M, avg bpp: 0
Time window: 2010-06-30 11:21:17 - 2010-06-30 11:26:20
Total flows processed: 820516, Blocks skipped: 0, Bytes read: 42667452
Sys: 0.092s flows/second: 8824270.8  Wall: 0.091s flows/second: 8966702.0
You have new mail in /var/spool/mail/root


I get something like 13 million pps on one interface (just for that IP). I
have attached a graph of total pps on that interface (ifindex 38) and you
can see that it never goes over 1.4M pps.

How can I troubleshoot this sampling issue?
For now, I will set sampling to -1 and do the correction elsewhere, but I
would like to solve it.

Regards,
Adrian

<<attachment: 2010-06-30_12-20-51_598x238.png>>

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

Reply via email to